|
25 | 25 | #include "tracing_data_handler.hpp" // For tracing query |
26 | 26 | #include "uuids.hpp" |
27 | 27 |
|
| 28 | +#include <openssl/bio.h> |
| 29 | +#include <openssl/dh.h> |
| 30 | + |
28 | 31 | #ifdef WIN32 |
29 | 32 | #include "winsock.h" |
30 | 33 | #endif |
@@ -58,47 +61,28 @@ using datastax::internal::core::UuidGen; |
58 | 61 |
|
59 | 62 | namespace mockssandra { |
60 | 63 |
|
61 | | -/* |
62 | | - * The following function was generated using the libressl utility, using |
63 | | - * the command : "openssl dhparam -dsaparam -C 512" |
64 | | - */ |
65 | | -#ifdef LIBRESSL_VERSION_NUMBER |
66 | | -#ifndef HEADER_DH_H |
67 | | -#include <openssl/dh.h> |
68 | | -#endif |
69 | | -DH* get_dh512() { |
70 | | - static unsigned char dh512_p[] = { |
71 | | - 0xBF, 0xA0, 0x2D, 0x47, 0x30, 0xB2, 0x81, 0x13, 0xEC, 0xC5, 0xB8, 0x79, 0xE1, 0x16, 0x6F, 0x2E, |
72 | | - 0x19, 0xB5, 0xC1, 0xE6, 0xCE, 0x15, 0x7E, 0x94, 0x00, 0x9D, 0x71, 0x4D, 0xB9, 0x73, 0xC8, 0x31, |
73 | | - 0xE3, 0xFB, 0xDF, 0x37, 0x6A, 0x7B, 0xD6, 0x1D, 0xA8, 0xB3, 0x78, 0x7A, 0x23, 0xE4, 0x1D, 0x91, |
74 | | - 0x34, 0x23, 0x74, 0x58, 0x96, 0xD2, 0x20, 0xEC, 0x61, 0xAC, 0x37, 0x96, 0x18, 0x33, 0xE6, 0x05, |
75 | | - }; |
76 | | - static unsigned char dh512_g[] = { |
77 | | - 0x08, 0x5E, 0x84, 0x3B, 0xC2, 0xD1, 0xEA, 0xB9, 0x39, 0xFA, 0xA4, 0x2A, 0x91, 0x79, 0xA3, 0x18, |
78 | | - 0x1E, 0x24, 0x7C, 0x4C, 0x0F, 0xFD, 0x2F, 0x5C, 0x38, 0xFB, 0xC4, 0xA4, 0x1B, 0xF3, 0xE8, 0xB7, |
79 | | - 0x61, 0x9E, 0xA1, 0x4F, 0x8E, 0xE3, 0xF8, 0x4B, 0x9C, 0xA7, 0xDD, 0xA5, 0x72, 0x01, 0x17, 0xF0, |
80 | | - 0xBF, 0x65, 0x53, 0xAB, 0x07, 0xFB, 0x07, 0xF4, 0xD8, 0xFA, 0x4D, 0xEB, 0x1A, 0x0E, 0x29, 0x0A, |
81 | | - }; |
82 | | - DH* dh; |
83 | | - |
84 | | - if ((dh = DH_new()) == NULL) return (NULL); |
85 | | - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); |
86 | | - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); |
87 | | - if ((dh->p == NULL) || (dh->g == NULL)) { |
88 | | - DH_free(dh); |
89 | | - return (NULL); |
90 | | - } |
91 | | - dh->length = 160; |
92 | | - return (dh); |
| 64 | +static DH* dh_parameters() { |
| 65 | + // Generated using the following command: `openssl dhparam -C 2048` |
| 66 | + // Prime length of 2048 chosen to bypass client-side error: |
| 67 | + // `SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small` |
| 68 | + |
| 69 | + // Note: This is not generated, programmatically, using something like the following: |
| 70 | + // `DH_generate_parameters_ex(dh, 2048, DH_GENERATOR_5, NULL)` |
| 71 | + // because DH prime generation takes a *REALLY* long time. |
| 72 | + static const char* dh_parameters_pem = |
| 73 | + "-----BEGIN DH PARAMETERS-----\n" |
| 74 | + "MIIBCAKCAQEAusYypYO7u8mHelHjpDuUy7hjBgPw/KS03iSRnP5SNMB6OxVFslXv\n" |
| 75 | + "s6McqEf218Fqpzi18tWA7fq3fvlT+Nx1Tda+Za5C8o5niRYxHks5N+RfnnrFf7vn\n" |
| 76 | + "0lxrzsXP6es08Ts/UGMsp1nEaCSd/gjDglPgjdC1V/KmBsbT+8IwpbzPPdir0/jA\n" |
| 77 | + "r+DXssZRZl7JtymGHXPkXTSBhsqSHamfzGRnAQFWToKAinqAdhY7pN/8krwvRj04\n" |
| 78 | + "VYp84xAy2M6mWWqUm/kokN9QjAiT/DZRxZK8VhY7O9+oATo7/YPCMd9Em417O13k\n" |
| 79 | + "+F0o/8IMaQvpmtlAsLc2ZKwGqqG+HD2dOwIBAg==\n" |
| 80 | + "-----END DH PARAMETERS-----"; |
| 81 | + BIO* bio = BIO_new_mem_buf(dh_parameters_pem, -1); // Use null terminator for length |
| 82 | + DH* dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
| 83 | + BIO_free(bio); |
| 84 | + return dh; |
93 | 85 | } |
94 | | -/* |
95 | | ------BEGIN DH PARAMETERS----- |
96 | | -MIGJAkEAv6AtRzCygRPsxbh54RZvLhm1webOFX6UAJ1xTblzyDHj+983anvWHaiz |
97 | | -eHoj5B2RNCN0WJbSIOxhrDeWGDPmBQJACF6EO8LR6rk5+qQqkXmjGB4kfEwP/S9c |
98 | | -OPvEpBvz6LdhnqFPjuP4S5yn3aVyARfwv2VTqwf7B/TY+k3rGg4pCgICAKA= |
99 | | ------END DH PARAMETERS----- |
100 | | -*/ |
101 | | -#endif |
102 | 86 |
|
103 | 87 | String Ssl::generate_key() { |
104 | 88 | EVP_PKEY* pkey = NULL; |
@@ -479,28 +463,13 @@ bool ServerConnection::use_ssl(const String& key, const String& cert, const Stri |
479 | 463 | } |
480 | 464 | EVP_PKEY_free(pkey); |
481 | 465 |
|
482 | | -#ifdef LIBRESSL_VERSION_NUMBER // SSL_CTX_set_tmp_rsa is a no-op on LibreSSL |
483 | | - DH* dh512 = get_dh512(); |
484 | | - if (!SSL_CTX_set_tmp_dh(ssl_context_, dh512)) { |
485 | | - print_ssl_error(); |
486 | | - DH_free(dh512); |
487 | | - return false; |
488 | | - } |
489 | | - DH_free(dh512); |
490 | | -#else |
491 | | - BIGNUM* factor = BN_new(); |
492 | | - BN_set_word(factor, RSA_F4); |
493 | | - RSA* rsa = RSA_new(); |
494 | | - RSA_generate_key_ex(rsa, 512, factor, NULL); |
495 | | - if (!SSL_CTX_set_tmp_rsa(ssl_context_, rsa)) { |
| 466 | + DH* dh = dh_parameters(); |
| 467 | + if (!dh || !SSL_CTX_set_tmp_dh(ssl_context_, dh)) { |
496 | 468 | print_ssl_error(); |
497 | | - BN_free(factor); |
498 | | - RSA_free(rsa); |
| 469 | + DH_free(dh); |
499 | 470 | return false; |
500 | 471 | } |
501 | | - BN_free(factor); |
502 | | - RSA_free(rsa); |
503 | | -#endif |
| 472 | + DH_free(dh); |
504 | 473 |
|
505 | 474 | SSL_CTX_set_verify(ssl_context_, SSL_VERIFY_NONE, 0); |
506 | 475 |
|
|
0 commit comments